forked from netwrix/pingcastle
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathchangelog.txt
250 lines (233 loc) · 18.3 KB
/
changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
2.9.0.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Information: the 3.0 version of PingCastle will run by default on .net 4 instead of .net 2 (this may break the compatibiliy with Windows 2000)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* when building the map, the program was taking the first part of the FQDN as a shortname. Now it uses the Netbios name if it is available
* change tooltip description for the trust section of the healthcheck report
* added the rule S-DC-2008 and S-OS-2008 to check for obsolete 2008 servers which are no longer supported
* Fix: A-AuditDC - GPO at the root level was ignored and OU specific too. Now the GPO is checked per DC.
* Fix: A-AuditDC - Reword the rule A-AuditDC for better understanding
* change A-Krbtgt to be triggered only after 1 year (previously 40 days)
* Fix: In some scanners, the comma was used instead of a tab
* Fix: Avoid a crash if the security descriptor of the msi files cannot be retrieved
* Fix: better switch in case of failure of ADWS to LDAP
* Added the rule A-CertROCA to check for recoverable public key (ROCA vulnerability) [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakDSA to check for DSA key use in certificate used for digital signature [ANSSI: vuln1_certificates_vuln]
* Added the rule A-CertWeakRsaComponent to check for low RSA exponent
* Added the rule A-WeakRSARootCert2 to check for rsa module length between 1024 & 2048 (friend of A-WeakRSARootCert)
* Added the rule A-DsHeuristicsAllowAnonNSPI to check if the heuristics fAllowAnonNSPI is enabled
* Added the rule P-RODCAllowedGroup to check for the Allowed RODC Password Replication Group group
* Added the rule P-RODCDeniedGroup to check for the Denied RODC Password Replication Group group
* Added the rule A-NTFRSOnSysvol to check the usage of the old protocol NTFRS on SYSVOL replication
* Added the rules A-DnsZoneUpdate1 and A-DnsZoneUpdate2 about DNS unsecure updates
* Added the rule S-DC-Inactive to check for inactive DC
* Added the rule S-PwdLastSet-DC to check for regular password change on DC
* Added the rule T-SIDHistoryDangerous to check for SID lower than 1000 or well known in SIDHistory
* Added the rule S-PwdNeverExpires to check for accounts with never expiring passwords
* Added the rule S-DCRegistration to check if DC are well registered (aka detect fake DC)
* Added the rule P-DelegationDCt2a4d P-DelegationDCa2d2 and P-DelegationDCsourcedeleg for DC delegation analysis
* Added the rule A-PreWin2000Other to be the companion of A-PreWin2000Anonymous
* Added the rule P-ProtectedUsers to check if all privileged accounts are member of the protected users group
* Added the rule S-PwdLastSet-45 and S-PwdLastSet-90 for workstations without the automatic password change disabled
* Added the rule P-AdminPwdTooOld to check for admin passwords older than 3 years
* Added the rule S-NoPreAuthAdmin, which is a split of the rule S-NoPreAuth, to match admins
* Added the rule P-DNSAdmin to check for members of the DNS Admins group
* Added the rule P-RODCRevealOnDemand P-RODCNeverReveal and P-RODCAdminRevealed for RODC checks
* Added the rule P-RODCSYSVOLWrite to check for RODC write access to the SYSVOL volume
* Added the rule A-NoNetSessionHardening to check if the NetCease mitigation has been applied
* Added the rule A-UnixPwd to check for attributes known to contains password
* Added the rule T-AzureADSSO to check for password rotation with AzureAD SSO (AZUREADSSOACC)
* Added the rule S-OS-Win7 to check for Windows 7. PingCastle is looking for support purchased from MS.
* Change the rule reports to include ANSSI rules
* Change the threshold of S-Inactive from 15 to 25% to match user_accounts_dormant rule
* Change the category of P-ControlPathIndirectMany and P-ControlPathIndirectEveryone to the new Control Path category
* Change the rule P-AdminNum to add a new limit of 50 admins
* Change the cagory of the rule P-DelegationEveryone, P-PrivilegeEveryone, P-TrustedCredManAccessPrivilege, P-UnconstrainedDelegation, P-UnkownDelegation
* Change the rule A-MinPwdLen to check only GPO applied to something
* Change the way GPO are evaluated in rules: if the GPO is disabled or not applied, no anomaly is found
* Change the rule A-MembershipEveryone to not trigger an alert when Authenticated users is a member of BUILTIN\Users
* Adding features exclusive for our customers, such as maturity evaluation, and charts
* Added the scanner export_user for a quick user analysis
* Added pagination and search in healthcheck report
* For AdminSDHolder users check, added the date in the report (written as 'Event') when the attribute admincount has been set (via replication metadata)
* Auditor & Enterprise licensee can now brand the report by using Appsettings/BrandLogo for base64 logo and Appsettings/BrandCss & BrandJs for raw Css & Js to inject
* make visible the rule ID in the healthcheck report in the rule description
* Removed BSI reference as the document is not online anymore
* Added ms-mcs-admpwd read check in delegations
* Fix members of admin groups outside the AD were not visible in the report
2.8.0.0
* reworked the way third party components are included in reports for better html auditing (aka Content Security Policy)
* added the rule P-DNSDelegation to check delegation on the MS DNS server which can be used to take control of the domain
* show healthcheck rule detail in a table if possible
* remove the "network configuration operators" group from privileged groups as it has no impact on the domain by itself
* split the allow login / deny login settings from privileges and from DC to another dedicated section
* added the rule P-TrustedCredManAccessPrivilege to match STIG rule V-63843
* added Auto logon info if found in the GPO passwords section
* added the rule P-LogonDenied to check for tiers isolation. Only in application if more than 200 users & 200 computers
* be resilient if a new rule category is added in the future so future reports can be read by this PingCastle version
* fix a problem when control character is found in data (loginscript for example) and cannot be serialized in xml
* added an experimental bluekeep scanner. To avoid AV detection, the code is commented. Decomment and recompile to use it.
* added SeSecurityPrivilege (access to the security event log) in the list of privileges to monitor.
* merged the permission report and the healthcheck report
* added the rule P-ControlPathIndirectEveryone and P-ControlPathIndirectMany for control path analysis
* added the rule A-AuditDC for audit policy
* update to bootstrap 4.4.1
* change the algorithm to locate the server. Faster and compatible with kerberos only domains.
* added the rule A-DCLdapsProtocol looking for SSLv2 and SSLv3 active on DC
* added the rule A-AuditPowershell to check for powershell auditing (informative)
* added the rule S-OS-Vista to check for Vista presence (which is not supported anymore). Windows 7 & 2008 added after extended support stops.
* added honey pot setting to avoid honey pot accounts to be in error
2.7.1.0
* update the TGT delegation algorithm after the July update (new flag CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)
2.7.0.0
* added a network map inspired from hilbert curves
* fix a bug when doing a map with very complicated data
* adjust the krbtgt last password change when a replication set it to "not set"
* added the rule P-ExchangePrivEsc to check for Exchange misconfiguration at install
* added the rule P-LoginDCEveryone to check if everybody can logon to a DC
* added the rule P-RecycleBin to check for the Recycle Bin feature (at forest level)
* added the rule P-DsHeuristicsAdminSDExMask to check if AdminSDHolder has been disabled for some critical groups
* added the rule P-DsHeuristicsDoListObject to check if the feature DoListObject has been enabled (informative only)
* added the rule P-RecoveryModeUnprotected to check if any user can go into recovery mode without being admin
* added the rule A-LDAPSigningDisabled to check if the LDAP signing mode has been set to None
* added the rule A-DCRefuseComputerPwdChange to check that Domain Controllers don't deny the change of computers account password
* added the rule P-DelegationFileDeployed to check for deployed file via GPO (msi, file copied, ...)
* added the rule T-FileDeployedOutOfDomain to check for deployed file via GPO (msi, file copied, ...) from outside this domain
* added the rule A-NoGPOLLMNR which checks if LLMNR can be used to steal credentials
* added the rule T-TGTDelegation to check for TGT delegation on forest trusts
* added the rule P-Kerberoasting to check for keberoasting (SPN for admin account). A mitigation via a regular password change is allowed.
* update the score produced by the rule S-SMB-v1 from 1 to 10
* fix the scanner command line when targeting multiple computer (single and multiple were inverted)
* added the scanner antivirus
* added the scanner laps_bitlocker
* fix a bug in the graph report when multiple files were examinated in parallele
* add a transition msDS-AllowedToActOnBehalfOfOtherIdentity to the graph report
* fix a bug when computing msDS-Lockout* in PSO (time were divided by 5)
* fix rule A-LMHashAuthorized which were not triggering due to a bug and improved its documentation
* improve the healtcheck report and added a comment to locate the NTLMstore (certificate section)
* fix GPP Password for scheduled task - only 1 out of 4 kind of scheduled tasks were checked
* fix support for missing well known sid S-1-5-32-545 for rules
* fix a tedious bug when using LDAP and when requesting the property Objectclass - it is not available in the result using the native API
* fix a tedious bug when reading SMB2 data (input was inverted with output) which gave inaccurate results regarding signature
* PingCastle does now have a default license and can be run without the .config file
In this case, the compatibility shims are removed and forced under .Net 2 engine. To run under .Net 4, a recompile is needed.
2.6.0.0
* fix a problem for early version of LDAP undetected : in ms-*-AdmPwd, MCS was replaced by company name
* integrate many hidden functions into the "scanner mode" to be more easy to use
* removing the ms17-010 scanner from the source because antivirus are so stupid that they cannot make the difference between a vulnerability scanner & an exploitation kit
* added many scanners (aclscanner, ...)
* breaking change: admin accounts where checks for lock, smart card, ... even if the account is disabled. This is not the case anymore.
* tuned S-DC-SubnetMissing to avoid dealing with local ipv6 loopback address (::1)
* added the rule A-DC-Spooler and the spooler scanner to check for print spooler accessible remotely (used to collect computer credentials via unconstrained delegation)
* added the rule A-NotEnoughDC to check domains have at least 2 DC
* added the rule P-UnconstrainedDelegation to check for unconstrained delegation in kerberos (the data was already reported)
* in relation with P-UnconstrainedDelegation, change the way accounts "trusted for delegation" are selected. Change useraccountcontrol flag from 0x01000000 to 0x80000
* fix in healthcheck report: the reversible password detail section was only displayed if there was unconstrained delegation in the domain
* added the rule P-ExchangeAdminSDHolder to check for the Exchange modification of the AdminSDHolder object
* added the rule P-DelegationKeyAdmin to check for boggus Windows 2016 installation
* added the (informative) rule P-OperatorsEmpty to check the recommandation to have the account and server operators empty
* added the rule P-DelegationGPOData to check for too large permissions granted to GPO items
* added the rule P-PrivilegeEveryone to check for too large GPO assigned privileges
* adjust the Domain Controller selection for tests (aka: number of DC in a domain & checks performed on them)
* remove the --split-OU technique which was not used and add an automatic protocol fallback in case of failure (ADWS then LDAP for example)
* allow the use of LDAPS via the --port 636 command switch
* fix a couple of problem in PingCastleReporting (incorrect numbers, wrong label, inability to load some configuration)
* Migrate from Bootstrap 3 to Bootstrap 4
* fix some mono incompatibility
* fix crash when analysing gpo where scheduled task password is being stored
* fix A-NoServicePolicy which was triggered when i shouldn't and vice versa
* add support for Windows 2019
* fix DnsAdminGroup not found when moved in another OU
* fix rootDse listing when using credential & required bind
* extended the rule S-DesEnabled to check also computers account
* add to the report a link in rules to sections of the report to get more insight
2.5.2.0
* fix a problem when a dc has been removed but not its computer account but its dns record
* fix a problem when for the rule A-SmartCardRequired which was triggered each time a "smart card required" account was found
* fix: the decryption process was broken as successful descryption always triggered a failure
* fix S-DC-SubnetMissing when subnet are duplicated (contains CNF and generated from replication problem)
* fix NT4 mismatch if the year was not present and include the word "dataceNTer"
* add a check for "smart card required" for administrator accounts
* reworked the menu to be more interactive
2.5.0.0
* rewrote all rules description / rationale / etc
* added start and end date for exception
* breaking: change the date at which the exception / migration is evaluated from current date to report generation date
* new rules: A-SMB2SignatureNotEnabled A-SMB2SignatureNotRequired S-DC-SubnetMissing P-DelegationLoginScript
* added an experimental scanner for replication usn check
* allows DNS Admin group to be moved to another OU than CN=Users (as a reminder, the group is selected based on its description)
* fix logon logoff script label inverted
* allow users to be in the guest group for their primary group (was Domain Users only before)
* record more details about the operating systems (and adapt the reload of previous reports)
* the rule A-LAPS-Not-Installed, previously informative, now scores 15 points. If the local admin password is set at install, the rule should be put in exception.
* many adaptation to be used with Ping Castle Enterprise
2.4.3.1
* add schemainfo checks
* rework the way replication metadata is collected
2.4.3.0
* fix compatibility problem with windows 2000
* fix bugs relative to --no-enum-limit, adminsdholder check, sidhistory without whencreated, reloading without threat model
* add check related to replication metadata (dsasignature, KrbtgtLastVersion)
* minor changes in the powerpoint reporting (more detail on the reporting frequency)
* new rule for mandatory AD backup (microsoft procedure)
* minor change in reporting (alphabetically order for risk model, ...)
2.4.2.0
* risk model in the healthcheck report
* checking for LAPS install
* scanner for ms17-010 (not in healthcheck)
* small report improvements
* small bug fixing (ex: if AdminSDHolder denied to authentiated users)
2.4.1.1
* better Samba compatibility (linux DC)
* added smb check functionalities & scanner for workstation
* added support for PSO
* rewrote "scanner" functionalities to be more user friendly
* adding dnsadmins as privileged group following https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
2.4.1.0
* modified the healthcheck report and consolidation to be responsive
* added in PingCastleReporting the risk map (link between BU & entities)
* added in PingCastleReporting the Rules report (matched and explanation) and removed --export-hc-rule in PingCastle
* reworked the report to add a DC view (last startup - for patches, creation date, if presence of null session)
* add an alert for MS14-068 via startuptime
* changed P-AdminNum to be less strict (especially for forest root) and A-Krbtgt to be less agressive
* improve the explanation of some rules
* various bug fixes in PingCastleReporting
2.4.0.1
* modified some KPI in PingCastleReporting overview
* added the flag --smtptls
* modified the score computation algorithm to take part of migration information in the past (showing evolution of score)
* modify the bad primary group count by excluding members of guests group
2.4.0.0
* program rebranded to PingCastle
* added PingCastleReporting for management reports (powerpoint, history, ...)
* reworked the advanced module
- added the live mode for advanced report
* handle many domains with the same FQDN (but different sid)
* rewrote the "Unknown domain" algorithm in xls which is reusing the graph made at consolidation
* add option to set an exception for all domains (set domain as "*" in the xls file)
* add all --explore options
* rules A-LoginScript, P-Disabled and S-PwdNeverExpires disabled
* added the rule P-DCOwner to check for DC ownership
* lowering the points to 0 for P-ServiceDomainAdmin if the passwords are changed regulary
* add netbios / sid information for forest of domains found indirectly (for matching existing domains)
* modify the simple node graph to add intermediate score and BU/Entity information when available
* added mail notification option if mail is read & smtp credential on command line
* added "details" for rules which are difficult to understand without specifics
* added the domain root for the delegation check
* disabled the check on dangerous permissions for migration sid history and unexpire password (too much false positives)
* added sidhistory information for groups to the sidhistory user information (to not forget to remove sidhistory for groups)
2.3.0.1 (cert-ist forum version)
* add the reachable mode (disabled by default, enabled by default if domain=* and used in interactive mode)
This mode scans for domains outside trusts. Discover new domains when run on trusted domains.
* Reworked the domain maps for visualization and inclusing of the reachable mode data.
* Add Netbios information in the trust information to be able to match some reachable mode data.
* Remove the requirement for ADWS. LDAP is used if ADWS is not available (LDAP is far more slower than ADWS)
2.2.1.5
fix a problem when a distinguished name of an admin contain LDAP request char
2.2.1.4
fix a problem in the consolidation
fix a problem if a login script is invalid and cannot be parsed as a url
2.2.1.3
bug fixing (null session enabled on forest side, PreWin2000 group empty)
Simplify full graph with bidirectional nodes & red color for unprotected trusts
add a simplified graph